ASAP talking about MMOD. More interesting as it's related to the past (Shuttle), but also a hat tip to launch and landing being safer, and CCP and ASAP seem rather happy with things. Also shows NASA requirements versus Commercial and so on and I do find LOV/C interesting as much as it's one of those impossible things.

So tried to write it up in an article and added a bunch of cool Nathan L2 renders to make it pretty.

The article mentions information gained from Cargo Dragon and MMODs. I'm curious as to the percentage (if any) of hits/close calls, in the vicinity of the SDs that surround and help inform the new OML.

Chris Whoever loves correction loves knowledge, but he who hates reproof is stupid.

To the maximum extent practicable, the Federal Government shall plan missions to accommodate the space transportation services capabilities of United States commercial providers. US law http://goo.gl/YZYNt0

"I think it would be great to be born on Earth and to die on Mars. Just hopefully not at the point of impact." -Elon Musk
"We're a little bit like the dog who caught the bus" - Musk after CRS-8 S1 successfully landed on ASDS OCISLY

You can't assure safety even while walking across the street. 1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.

And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration. Admittedly, the statistical tools used have come a long way from those described in Feynman's appendix to the 51-L accident investigation, but there will always be known-unknowns and unknown-unknowns, no matter how smart the people who draw up the PBRAs.

I'm not foolhardy, and frequently tell my own children that life is basically one big risk-benefits analysis. Either traveling to orbit is worth assuming a 0.5-1% or so risk of death, or it isn't. It will be a long time before we demonstrate space travel as being much safer than that.

When Boeing and SpaceX were contracted for CCP the full set of requirements was not complete. The PBRA is just one example. SpaceX and Boeing were both fully informed about this before they signed the contracts. So, both knew that additional (and tighter) requirements could (and would) be forthcoming. Both agreed to CCP anyway. That's just the nature of the business. NASA is trying something new and it is unrealistic to expect that every little detail was fully known and understood in advance. Much like COTS once was, CCP is a learning school for both industry and NASA.

ASAP in my opinion is just making things a lot harder by being afraid of having the first unforeseen (as opposed to avoidable) LOC during the run of the program. So they try to terminate every little identified risk. Trouble is however, there will always be unknown unknowns. Those one generally cannot guard against very well.

This may be a naive question, but why don't they stick some hi-def cameras around the heat shield and check for MMOD damage visually?

A MMOD hit on the heat shield is not the only place or way damage that would cause LO(M,C,V) could occur. The pressure vessel itself is not invulnerable. And as the article noted, a hit on a coolant loop could cause LOM during the shuttle days; fuel cells caused early EOM as well a couple of times.

I believe the vehicles that visit ISS will be inspected for external damage before departure (or did I imagine seeing that?) but that only helps some of the cases. And suppose you take a hit on the heat shield after you jettison the service module following the deorbit burn, when no inspection would help. Welp.

Woods170 was right. The complexity of the risk analysis requires it to always be changing, and you would hope that you are able to reduce some of the risks as you gain more knowledge of your vehicle and its environment. NASA is terribly risk-averse, for understandable reasons; but at some level, the only truly 100% risk-free spaceflight is no spaceflight at all.

Emphasis mine. That's a fact. Let's hope it never comes to that.

IMO it's a good thing to dare to take risks. Let's look for example at one of those projects you once worked on, Jeff. At the time of launch of the IRAS observatory the risk of the dewar-cover being stuck to the dewar was not entirely eliminated (stiction due to slightly over-sized O-ring seals in the cover). Some of the engineers wanted to postpone the launch, warm-up the dewar, fix the (potential) issue and do all pre-launch preps all over again. That would have meant a six months delay to the mission. Fortunately the mission manager-in-charge showed he had guts and had the launch proceed as planned. The mission was a huge success and eventually the engineers didn't even bother to fix the same (potential) problem with the similar COBE dewar. One of NASA's finer moments IMO.

1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.

And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.

Has Orion in fact met this standard or is it "going" to meet the standard? (Not to mention the missions are so different that a comparison doesn't make sense, really).

Somehow Soyuz has managed to muddle through things so far. In fact I don't think they've ever lost a Progress to MMOD. Between the two that's a lot of flights. Unless we're saying we can't build a vehicle as safe as a Soyuz I have to think this is all a little bit overblown.

If I recall correctly, NASA wanted to lower the risk of LOC / LOV down to something more like 1/500, but then realized that because of the risk of MMOD strikes, it could not get the risk level down that low. The overall risk is high because if a hit occurs on a vital system, the results are catastrophic.

It's the same reason some people are scared of air travel; the risk of something going wrong on any one flight is very low, but when something does go wrong, the risk is high that everybody dies.

Also, just because something bad has turned out ok many times before, doesn't mean the risk is not that big. See: Shuttle and o-ring burn through / insulating foam strikes. It's just a matter of time before a MMOD strike disables a vehicle and / or kills a crew in orbit.

"One bit of advice: it is important to view knowledge as sort of a semantic tree -- make sure you understand the fundamental principles, ie the trunk and big branches, before you get into the leaves/details or there is nothing for them to hang on to." - Elon Musk
"There are lies, damned lies, and launch schedules." - Larry J

And 65,000 pedestrians are hit by a car every year just in the US. It's always something, and not even hiding in bed can eliminate risk; gas furnaces and water heaters go boom, you could throw a blood clot, etc.

1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.

And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.

Has Orion in fact met this standard or is it "going" to meet the standard? (Not to mention the missions are so different that a comparison doesn't make sense, really).

Somehow Soyuz has managed to muddle through things so far. In fact I don't think they've ever lost a Progress to MMOD. Between the two that's a lot of flights. Unless we're saying we can't build a vehicle as safe as a Soyuz I have to think this is all a little bit overblown.

There have been 0 losses due to MMOD. But let's add the robotic craft:

Progress 150
Dragon 11
TKS 9
Cygnus 6
ATV 5
Total 181
HTV 5

Also zero losses due to MMOD.

Maybe it is because no spacecraft has been in space long enough? Shuttle definitely never stayed too long. But Soyuz and Progress have stayed a lot up, but at 270 flights including short trips and failed launches, they haven't actually done 270 210-day stays. That's 155 years of orbit time, btw.

Every flight to space has had MMOD strikes. The Shuttle has had damaged systems from MMOD strikes. STS-7 had a window so badly damaged from a strike that it had to be replaced. The Shuttle's radiators have had several large MMOD strikes, some just barely missing the main cooling loops, if those were damaged, mission control would have considered aborting.

Again, just because there haven't been catastrophic failures doesn't mean there is no risk.

The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.

For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction.

We already know that the potential severity of a MMOD strike is that it could cause loss of vehicle or the crew, so that's a 10. We know that MMOD strikes occur on every spaceflight, so that's also a 10. The ability to detect MMOD strikes or prevent them from causing catastrophic failure is the key here. The Shuttle, for example, had multiple coolant loops in its radiators, so if one was damaged it could be shut down. NASA also installed additional layers of shielding over the main coolant loops to prevent or reduce damage in the event of a direct hit. However, even though the risk of damage is reduced, it still hasn't been eliminated, so it will always be higher than 1. I would say it can't be less than 5, which would be a moderate likelihood that current MMOD mitigation will prevent catastrophic damage. So based on the numbers 10, 10, and 5, the overall Risk Priority Number is 500. A high risk, and that's being generous, I'd guess that NASA has assigned an even higher risk level than this.

I can see Loss of Mission, but I think that they are being overly pessimistic on Loss of Crew. It would take an awful lot of bad luck for the crew to die from an impact that would otherwise cause a mission to be aborted, either through re-entry or staying/return to ISS. Something like a window being blown out because of damage. All life support taken out, including the seat loops. Heat shield with a hole big enough to let plasma enter and destroy the craft (remember, the shield already has holes in it). Something big enough to penetrate the hull and a crew-member (or secondary projectiles from such a hit). That sort of thing.

1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.

And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.

Has Orion in fact met this standard or is it "going" to meet the standard? (Not to mention the missions are so different that a comparison doesn't make sense, really).

Somehow Soyuz has managed to muddle through things so far. In fact I don't think they've ever lost a Progress to MMOD. Between the two that's a lot of flights. Unless we're saying we can't build a vehicle as safe as a Soyuz I have to think this is all a little bit overblown.

There have been 0 losses due to MMOD. But let's add the robotic craft:

Progress 150
Dragon 11
TKS 9
Cygnus 6
ATV 5
Total 181
HTV 5

Also zero losses due to MMOD.

Maybe it is because no spacecraft has been in space long enough? Shuttle definitely never stayed too long. But Soyuz and Progress have stayed a lot up, but at 270 flights including short trips and failed launches, they haven't actually done 270 210-day stays. That's 155 years of orbit time, btw.

Let's not forget the X-37B staying up for two years at a time with a TPS similar to the shuttle.

And 65,000 pedestrians are hit by a car every year just in the US. It's always something, and not even hiding in bed can eliminate risk; gas furnaces and water heaters go boom, you could throw a blood clot, etc.

No one gets out of life alive. Get on with it....

That's not a very good comparison. The risk of having a lethal car accident is .01%/yr in the US.

Not many civilian activities carry a 1% risk of dying. The most lethal job in the US is logging, 127.8 fatalities per 100,000 or 0.1%/yr. Some people do more dangerous things for fun: BASE jumping had a 1/60 fatality rate in 2006. That's the only sport that gets above 1%. That puts spaceflight close to the top of a very narrow pyramid. 1% is a percentage worth putting effort into lowering it.

The more expensive a project is, the more man-hours it requires. The more man-hours, the more chance of an industrial accident, like workers falling from scaffolding, being crushed by slung loads, etc.

So there's a very, very good /worker safety/ argument that increasing safety for just the astronauts is not worth it if it causes the project to balloon in cost.

It seems to me that the magnitude of the strike (size*mass*delta-v*burst-quantity) needs to be taken into account. Low delta-v, low size and mass strikes are probably a lot more common than higher magnitude strikes, and are easier to defend against and mitigate. Given that we have 50+ years of history in LEO, we should have a pretty good statistical model of the breakdown of the distribution of such events. Is this not being taken into the risk calculations?

For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction.

We already know that the potential severity of a MMOD strike is that it could cause loss of vehicle or the crew, so that's a 10. We know that MMOD strikes occur on every spaceflight, so that's also a 10. The ability to detect MMOD strikes or prevent them from causing catastrophic failure is the key here. The Shuttle, for example, had multiple coolant loops in its radiators, so if one was damaged it could be shut down. NASA also installed additional layers of shielding over the main coolant loops to prevent or reduce damage in the event of a direct hit. However, even though the risk of damage is reduced, it still hasn't been eliminated, so it will always be higher than 1. I would say it can't be less than 5, which would be a moderate likelihood that current MMOD mitigation will prevent catastrophic damage. So based on the numbers 10, 10, and 5, the overall Risk Priority Number is 500. A high risk, and that's being generous, I'd guess that NASA has assigned an even higher risk level than this.

That's not how I was taught probabilities. In this particular case, they are worrying only about LOC. So you need to calculate P(MMOD) x P(LOC|MMOD) and minimize that. The critical part being, obviously, the second term. The way you propose overestimates risks with low LOC probabilities but high frequency.
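The two approaches argued over above (RPN scoring versus P(MMOD) x P(LOC|MMOD)) and the earlier point about zero MMOD losses over 181 robotic flights, worked through as an added example that is not part of any post in this thread. Every per-mode number except the 10/10/5 MMOD scores is constructed for illustration and is not NASA or PBRA data, and the zero-loss bound assumes each flight is an independent, identical trial.

```python
"""RPN ranking versus P(event) * P(LOC | event), plus a zero-loss bound.

Constructed illustration: only the MMOD scores (10, 10, 5), the 1/270 target,
the 181-flight total and the 270 x 210-day figure come from the thread.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int             # 1-10 ordinal score
    occurrence: int           # 1-10 ordinal score
    detection: int            # 1-10 ordinal score, 10 = hardest to detect/prevent
    p_event: float            # constructed: P(event happens on one mission)
    p_loc_given_event: float  # constructed: P(LOC | event)

    def __post_init__(self):
        for score in (self.severity, self.occurrence, self.detection):
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}: RPN scores must be 1-10")
        for p in (self.p_event, self.p_loc_given_event):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probabilities must be in [0, 1]")

    @property
    def rpn(self):
        """Risk Priority Number: product of three ordinal scores (1-1000)."""
        return self.severity * self.occurrence * self.detection

    @property
    def p_loc(self):
        """Per-mission loss-of-crew probability from this mode alone."""
        return self.p_event * self.p_loc_given_event


# Constructed failure modes; the probabilities are NOT NASA or PBRA figures.
MODES = [
    FailureMode("mmod_strike", 10, 10, 5, p_event=1.0, p_loc_given_event=0.002),
    FailureMode("rare_lethal_mode", 10, 2, 8, p_event=0.003, p_loc_given_event=0.9),
    FailureMode("frequent_minor_mode", 4, 9, 3, p_event=0.5, p_loc_given_event=0.0001),
]


def rank_by_rpn(modes):
    """Highest RPN first: the ordering an RPN spreadsheet would prioritise."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def rank_by_p_loc(modes):
    """Highest P(event) * P(LOC | event) first."""
    return sorted(modes, key=lambda m: m.p_loc, reverse=True)


def combined_p_loc(modes):
    """P(at least one mode causes LOC), treating the modes as independent."""
    survive = 1.0
    for m in modes:
        survive *= 1.0 - m.p_loc
    return 1.0 - survive


def zero_loss_upper_bound(n_flights, confidence=0.95):
    """Largest per-flight loss probability still consistent with n loss-free
    flights: solve (1 - p)^n = 1 - confidence for p."""
    if n_flights < 1:
        raise ValueError("need at least one flight")
    return 1.0 - (1.0 - confidence) ** (1.0 / n_flights)


def flights_needed(target_p, confidence=0.95):
    """Loss-free flights required before p <= target_p is demonstrated."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - target_p))


def exposure_years(n_missions, days_per_mission):
    """Total on-orbit time, in years, for n missions of equal length."""
    return n_missions * days_per_mission / 365.25


if __name__ == "__main__":
    for m in rank_by_rpn(MODES):
        print(f"{m.name:22s} RPN={m.rpn:4d}  P(LOC)={m.p_loc:.5f}")
    print("by P(LOC):", [m.name for m in rank_by_p_loc(MODES)])
    total = combined_p_loc(MODES)
    print(f"combined P(LOC) = {total:.5f} (1 in {1 / total:.0f}); target 1 in 270")
    bound = zero_loss_upper_bound(181)
    print(f"0 losses in 181 flights: p <= {bound:.4f} (1 in {1 / bound:.0f}) at 95%")
    n = flights_needed(1 / 270)
    print(f"loss-free flights needed for 1/270: {n} "
          f"(~{exposure_years(n, 210):.0f} years at 210 days each)")
```

With these constructed inputs the RPN ordering puts MMOD first while the probability ordering does not, and 181 loss-free flights only bound the per-flight loss probability at roughly 1 in 61.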

No mission has ever been lost due to MMOD. ISS and MIR both huge, neither had major accident due to MMOD. I bet you could reduce this risk to very low levels if you blocked up the windows.

You would think the skin of the ISS would show quite a record of MMOD damage after all these years in orbit.

It surely does. I was at the NASM last week and saw WFPC2 on display. The outer panel of WFPC2, which was exposed to space on HST for over 10 years, had many impact sites cored out for analysis.

As noted above, MMOD is no laughing matter. While no people have died in space from it, IIRC several satellites are believed to have been damaged or rendered inoperable due to MMOD. The odds of a LOM/C/V cannot be reduced to zero. You minimize the risk, and then either you fly, or you stand down if you are unable or unwilling to accept the risk.

What I described is part of Failure Mode and Effects Analysis (FMEA), specifically the Risk Priority Number (RPN) analysis. It allows for an analysis to determine what failure mode has the highest risk and needs to be given priority to reduce or eliminate it. FMEA has been around for a long time, and has had several different methods for risk assessment associated with it. An RPN analysis is certainly not the only way to assess risk, just the one I've been taught and use most often. I'm not surprised you assess risk in a different way.

My point was to demonstrate that even though there has never been a catastrophic failure of a spacecraft or a space station due to a MMOD strike, the overall risk that such a failure could happen is still high.

No mission has ever been lost due to MMOD. ISS and MIR both huge, neither had major accident due to MMOD. I bet you could reduce this risk to very low levels if you blocked up the windows.

You would think the skin of the ISS would show quite a record of MMOD damage after all these years in orbit.

It does. There are dozens of small strikes and probably thousands of small ones. Likely millions of tiny ones. There are pits in the Cupola window, holes through the solar arrays and radiator panels, and lots of examples of damage to the micrometeorite blankets.

Example, one of the get-ahead tasks performed on the last spacewalk was photographing the MMOD blankets on the Alpha Magnetic Spectrometer to see if they need to be replaced.

Given that we have 50+ years of history in LEO, we should have a pretty good statistical model of the breakdown of the distribution of such events. Is this not being taken into the risk calculations?

There is far more orbital debris today than there was at the dawn of spaceflight, giving most of the history limited utility. As with many things spaceflight, there is a small sample size leaving a lot of room for interpretation via statistics.

I remember back in the Shuttle era they had unreasonably low goals for LOV/C (1-in-1000 IIRC), which was addressed after the first bright spotlight shone on it, ultimately resulting in the 'about 1-in-90' number cited in the article. And yet, Ares somehow jumped back to a mythical 1-in-1000 number before getting reined in.

It is hard to ignore the tension between political needs (hard to sell 1-in-90 for funding) and engineering reality. The current MMOD model is noted as 'speculative', 'quite robust', 'perhaps too robust'. So making pessimistic assumptions at the top allows closing the gap later via revision of the model. And in the meantime, MMOD makes a much safer primary factor than what may be reported, in some places, as vehicle 'flaws' being primary factors. Yes, I am getting rather cynical...

Again, just because there haven't been catastrophic failures doesn't mean there is no risk.

Literally nobody is saying that. Why do you keep repeating it like someone is?

Quote

The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.

Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.

So if MMOD is so dangerous, how are Boeing and SpaceX expected to mitigate? Build armor against tank-breaking ammunition?

They wouldn't be expected to stop every possible impact, of course, but would mitigate with methods including armor. Dragon has trunk armor protecting the TPS, and I remember a statement from SpaceX (or Musk, perhaps) regarding how large a hole could be punched in the PV without excessive loss of pressure. Depending on the model, they could for example choose to mitigate up to "x" energy of impact over "y" percentage of the vehicle surface to reduce total risk. The risk goal is "programmatic" risk, which I interpret to mean that ISS safe haven could also mitigate this risk. Larger/brighter orbital debris would be tracked, which should place an upper limit on how severe an impact would be expected to be survivable.

Tell that to the zero failed flights from o-ring burn through prior to Challenger. Or the zero failed flights due to foam strike on the heat shield tiles prior to Columbia.

Even though there were no failures prior to it happening, the risk was always there!! I've read that the RPN for o-ring burn through on the SRBs was about 800 - a VERY high number for an RPN - and management decided the risk was acceptable.

I have to keep repeating it because dismissing a potential failure mode with a risk as high as MMOD strike as though there is no risk is wrong.

It seems to me that the magnitude of the strike (size*mass*delta-v*burst-quantity) needs to be taken into account. Low delta-v, low size and mass strikes are probably a lot more common than higher magnitude strikes, and are easier to defend against and mitigate. Given that we have 50+ years of history in LEO, we should have a pretty good statistical model of the breakdown of the distribution of such events. Is this not being taken into the risk calculations?

All of these things are absolutely taken into account. Velocity, size, mass, and directionality are all present in the risk assessment calculations.

MMOD is obviously a risk. But I doubt it's greater than risks we haven't fully characterized.


MMOD is obviously a risk. But I doubt it's greater than risks we haven't fully characterized.

Such as?


MMOD is obviously a risk. But I doubt it's greater than risks we haven't fully characterized.

Such as?

Unknown unknowns. I should have been more specific: things not even really considered, not just "not fully characterized."


For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction.

Wow, that method is just wrong. The range should be from 0 to 10, with any real value in between (a mathematician would have any value between 0 and 1). A way better estimate of the risk is

integral from 0 to m_max integral from 0 to v_max S(m*v²/2)*A*T*P(m,v)*D(m) dm dv

where

A = cross sectional area of spacecraft
T = time in orbit
m = mass of debris
m_max = maximum debris mass
v = velocity of debris
v_max = maximum debris velocity
S(E) = severity as a function of impact energy
P(m,v) = mass and velocity debris probability distribution per unit area and unit time
D(m) = Detect or Prevent as a function of debris mass

A good engineer should be able to come up with estimates of these functions.

Quote

We know that MMOD strikes occur on every spaceflight, so that's also a 10.

That would result in an overestimation of the risk. Most impacts are very small which have almost zero risk.

Again, just because there haven't been catastrophic failures doesn't mean there is no risk.

Literally nobody is saying that. Why do you keep repeating it like someone is?

Quote

The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.

Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.

Regrettably, that's not how statistics work. The fact that Shuttle had the failures that it had, and not MMOD, might have been by pure chance. There are not enough statistical samples in all Shuttle history to say otherwise.

Challenger was a particularly bad example, because at those temperatures it was to fail. It was almost a certainty. Edward Tufte's book is more than clear on that. You use statistics for things that are chance, but if you get out of the specified range, you might get into straight certainties.

I believe it's quite important that we frame the ASAP's problem clearly:

They want a probability of LOC to be less than 1/270 chance, for a crewed vehicle that launches, stays docked at the ISS for 210 days and returns safely.

Launch and return might well be characterized by all launch history. But the 210 days stay is what has (relatively speaking) little history. 210 days per 270 means that a ship should be in space 155 years before having a MMOD of a severity that would cause a LOC. And that's actually not true because that assumes that launch and re-entry risks are zero. So the actual target might be 500 years or more.

Current flight history of every single crewed and robotic ship has zero statistical significance here. This requires extensive engineering to come up with good estimations. It will probably also constrain orbital attitudes and such.

Let's not forget that Soyuz are docked at the aft of ISS, where they are more protected than the USOS fore side. In fact, all Commercial Crew vehicles are docked with their heat shields pointed fore.

For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction.

Wow, that method is just wrong. The range should be from 0 to 10, with any real value in between (a mathematician would have any value between 0 and 1). A way better estimate of the risk is

integral from 0 to m_max integral from 0 to v_max S(m*v²/2)*A*T*P(m,v)*D(m) dm dv

where

A = cross sectional area of spacecraft
T = time in orbit
m = mass of debris
m_max = maximum debris mass
v = velocity of debris
v_max = maximum debris velocity
S(E) = severity as a function of impact energy
P(m,v) = mass and velocity debris probability distribution per unit area and unit time
D(m) = Detect or Prevent as a function of debris mass

A good engineer should be able to come up with estimates of these functions.

Quote

We know that MMOD strikes occur on every spaceflight, so that's also a 10.

That would result in an overestimation of the risk. Most impacts are very small which have almost zero risk.

You've never heard of Failure Mode and Effect Analysis (FMEA)?


Let's not forget that Soyuz are docked at the aft of ISS, where they are more protected than the USOS fore side. In fact, all Commercial Crew vehicles are docked with their heat shields pointed fore.

Yes, and both Boeing and SpaceX will have shielding in place to lower the risk of MMOD damage to the primary heatshield. For Dragon 2 this is a Whipple shield (doubling as an aerodynamic brake for the trunk in case of a pad abort/in-flight abort) at the capsule-to-trunk interface. And CST-100 has got a whole service module protecting the primary heatshield.

Again, just because there haven't been catastrophic failures doesn't mean there is no risk.

Literally nobody is saying that. Why do you keep repeating it like someone is?

Quote

The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.

Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.

Regrettably, that's not how statistics work. The fact that Shuttle had the failures that it had, and not MMOD, might have been by pure chance. There are not enough statistical samples in all Shuttle history to say otherwise.

Challenger was a particularly bad example, because at those temperatures it was to fail. It was almost a certainty. Edward Tufte's book is more than clear on that. You use statistics for things that are chance, but if you get out of the specified range, you might get into straight certainties.

The statistical chance of a failure mode occurring can be very low, however, the amount of risk of that failure mode will remain the same, i.e., if a MMOD strike makes a direct hit on a critical system, then you're always going to have a bad day, even if that MMOD strike on a critical system only occurs once in a thousand spaceflights. That risk level can only be reduced by engineering solutions to reduce it.

An example of this is where the Shuttle's radiator got additional MMOD shielding and that directly prevented a MMOD strike from damaging a coolant loop that would have caused a mission abort:


Again, just because there haven't been catastrophic failures doesn't mean there is no risk.

Literally nobody is saying that. Why do you keep repeating it like someone is?

Quote

The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.

Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.

Regrettably, that's not how statistics work. The fact that Shuttle had the failures that it had, and not MMOD, might have been by pure chance. There are not enough statistical samples in all Shuttle history to say otherwise.

Challenger was a particularly bad example, because at those temperatures it was to fail. It was almost a certainty. Edward Tufte's book is more than clear on that. You use statistics for things that are chance, but if you get out of the specified range, you might get into straight certainties.

The statistical chance of a failure mode occurring can be very low, however, the amount of risk of that failure mode will remain the same, i.e., if a MMOD strike makes a direct hit on a critical system, then you're always going to have a bad day, even if that MMOD strike on a critical system only occurs once in a thousand spaceflights. That risk level can only be reduced by engineering solutions to reduce it.

An example of this is where the Shuttle's radiator got additional MMOD shielding and that directly prevented a MMOD strike from damaging a coolant loop that would have caused a mission abort:

I'm pretty well aware of minimizing the chance of maximum damage. Maybe you wanted to answer some other point of mine? I really don't quite follow your post to mine.

But as I said above, for minimizing P(LOC), you want to focus on P(LOC|Event). And while MMOD are high, LOC-causing MMOD are less. Thus, the correct assessment is not P(MMOD)*LOCseverity, but P(MMOD)*P(LOC|MMOD) and severity of LOC is the same for every problem.

In other words, if a LOC would kill the crew and another vaporize it, but the chance of the former is higher than the latter, you should minimize the first before the second, assuming equal mitigation effort/risk.

You can't assure safety even while walking across the street. 1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern.

Returning to your original post Jeff. The key to this whole 1/270 thing is this, as mentioned in Chris' article:

Quote

The key will be to refine the MMOD threat data, which is based on historical flight information and may be – due to NASA requirements – overly conservative.

“The MMOD damage analysis depends on the modeling of the environment, which is in many aspects speculative and quite robust,” added the minutes (from ASAP).

“There are discussions regarding gathering additional historical information to determine if the environmental model is perhaps too robust. All answers are yet to be determined.”

It appears that some of the "pain" of this 1/270 number comes from NASA using overly conservative MMOD environmental models.

If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

Maybe add a sublimator cooler, too. If that's a major problem.


If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

Another major one is loss of coolant. Why did you edit out the sublimator part?

Pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time).


If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

Another major one is loss of coolant. Why did you edit out the sublimator part?

Pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time).

Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult.

This. Commercial crew and cargo are a new world. The companies involved in this aren't going to release technical information publicly unless either they are required to in their contract or they believe it will serve their interests. These aren't the Shuttle days anymore.

If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

Another major one is loss of coolant. Why did you edit out the sublimator part?

Pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time).

Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult.

...right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."


This. Commercial crew and cargo are a new world. The companies involved in this aren't going to release technical information publicly unless either they are required to in their contract or they believe it will serve their interests. These aren't the Shuttle days anymore.

You're right, these aren't the Shuttle days, please remind me all of the data that was publicly shared about the detailed LOV statistics that NASA compiled running up to the maiden Shuttle launch again?

If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

Another major one is loss of coolant. Why did you edit out the sublimator part?

Pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time).

Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult.

...right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."

If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corps would get mad and say they don't have to wear the suits.

That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.

Another major one is loss of coolant. Why did you edit out the sublimator part?

Pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time).

Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult.

...right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."

Damage they might not know about until too late. Columbia comes to mind.

Okay, so damage to the heatshield. But the heatshield is protected by the trunk. And before departure (but after undocking), Station can take pictures of the rest of the craft to see if there's a major problem.

And to take Soyuz as an example, the capsule lands ~3 hours after undocking. The odds that dozens of Soyuzes have had no life-threatening MMOD after each spent like 6 months in orbit but that a Dragon has a significant chance of getting a life-threatening hit in just 3 hours after undocking seems very small... You're talking like 1/100,000. More like 1:million because something bad enough to severely damage the capsule but remain undetected is even smaller, especially since the trunk protects the heatshield.

This is why I think the main dangers are from things we haven't fully quantified, yet. MMOD LOC not due to pressure vessel rupture or loss of coolant seems remote. But spaceflight is NOT that safe. So the danger is probably something we haven't fully quantified.

« Last Edit: 08/26/2016 04:11 PM by Robotbeat »


Damage to heat shields that allow sufficient hot gas intrusion during reentry to result in structural failure.

Damage to propulsion systems (including thrusters, propellant tanks, valves, feedlines, and control hardware) that could result in any of the following: inability to deorbit, inability to control attitude during reentry, leakage of thruster exhaust into spacecraft structure, leakage of unreacted propellant into structure (including potential for hypergolic propellants to mix in places they really shouldn't), bursting of propellant tanks.

Damage to reentry power systems (including batteries, cables, and control equipment) that results in any number of failures, including loss of reentry control and loss of recovery systems.

Damage to spacecraft command and data handling hardware that results in loss of control or loss of recovery systems.

Damage to recovery system hardware that prevents initiation of both primary and backup recovery system deployment.

Damage to cooling systems that results in coolant being released into crew pressure vessel, creating a toxic atmosphere.

There are no doubt several others I haven't thought of for this post. Not all of these are immediately detectable. Not all of those that are detectable are correctable after the fact.

This. Commercial crew and cargo are a new world. The companies involved in this aren't going to release technical information publicly unless either they are required to in their contract or they believe it will serve their interests. These aren't the Shuttle days anymore.

Doesn't NASA set the standards for what goes into deriving the LOC number?


"Look at that! If anybody ever said, "you'll be sitting in a spacecraft naked with a 134-pound backpack on your knees charging it", I'd have said "Aw, get serious". - John Young - Apollo-16

Okay, so damage to the heatshield. But the heatshield is protected by the trunk. And before departure (but after undocking), Station can take pictures of the rest of the craft to see if there's a major problem.

There's more to the heat shield than the base heat shield. The backshell receives a fair amount of heat as well.

Quote

And to take Soyuz as an example, the capsule lands ~3 hours after undocking. The odds that dozens of Soyuzes have had no life-threatening MMOD after each spent like 6 months in orbit but that a Dragon has a significant chance of getting a life-threatening hit in just 3 hours after undocking seems very small... You're talking like 1/100,000. More like 1:million because something bad enough to severely damage the capsule but remain undetected is even smaller, especially since the trunk protects the heatshield.

These are made-up numbers that fall prey to any number of statistical fallacies. To be clear: there has not yet been enough crewed spaceflight time to provide any statistically significant confirmation of whether the models that drive these risk analyses are overly conservative. The models are made from the best available data, including space surveillance, breakup modeling, and actual hypervelocity impact testing. That said, how do you verify whether a calculated 1/270 chance per flight is correct when there haven't been anywhere near that many flights?

Quote

This is why I think the main dangers are from things we haven't fully quantified, yet. MMOD LOC not due to pressure vessel rupture or loss of coolant seems remote. But spaceflight is NOT that safe. So the danger is probably something we haven't fully quantified.

That you haven't thought of it doesn't mean the folks designing and analyzing these spacecraft haven't.
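Added example, not part of any post in this thread: the arithmetic behind the 1/270 target discussed above, covering the "155 years" figure for a 210-day stay and the question of how many failure-free flights it would take to confirm a 1/270 per-flight estimate. It assumes a constant hazard rate on orbit and independent mission phases; the 1/400 ascent-and-entry share and the 50-flight record are constructed values, not figures from the thread.

```python
"""Zero-failure statistics for a per-mission loss-of-crew (LOC) target.

Assumptions (not from the thread): on-orbit LOC events follow a constant
hazard rate (Poisson process) and mission phases fail independently.
"""
import math

DAYS_PER_YEAR = 365.25


def hazard_rate_per_day(p_mission: float, mission_days: float) -> float:
    """Constant daily hazard rate that yields p_mission over mission_days."""
    # P(event within T) = 1 - exp(-rate * T)  =>  rate = -ln(1 - p) / T
    return -math.log1p(-p_mission) / mission_days


def mean_years_between_events(p_mission: float, mission_days: float) -> float:
    """Mean exposure time between events implied by the target, in years."""
    return 1.0 / (hazard_rate_per_day(p_mission, mission_days) * DAYS_PER_YEAR)


def on_orbit_budget(p_total: float, p_other_phases: float) -> float:
    """Probability left for the on-orbit phase once ascent and entry take
    p_other_phases of the total, with independent phases:
    (1 - p_total) = (1 - p_other_phases) * (1 - p_orbit)."""
    if not 0.0 <= p_other_phases < p_total:
        raise ValueError("other phases must use less than the total budget")
    return 1.0 - (1.0 - p_total) / (1.0 - p_other_phases)


def clean_missions_needed(p_mission: float, confidence: float = 0.95) -> int:
    """Failure-free missions needed before a true per-mission probability of
    p_mission or worse can be rejected at the given confidence level.
    Smallest n with (1 - p_mission)**n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p_mission))


def upper_bound_after_clean_missions(n_clean: int, confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the per-mission probability after
    n_clean missions with zero events (exact form of the 'rule of three')."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n_clean)


if __name__ == "__main__":
    target = 1.0 / 270.0   # per-mission LOC target quoted in the thread
    stay_days = 210.0      # docked duration quoted in the thread

    print("whole budget spent on orbit: %.1f years between events"
          % mean_years_between_events(target, stay_days))

    other = 1.0 / 400.0    # constructed share for ascent plus entry
    orbit = on_orbit_budget(target, other)
    print("with 1/400 reserved for ascent/entry: 1/%.0f on orbit, %.0f years"
          % (1.0 / orbit, mean_years_between_events(orbit, stay_days)))

    print("clean missions needed to confirm 1/270 at 95%%: %d"
          % clean_missions_needed(target))

    flights = 50           # constructed failure-free flight record
    print("after %d clean missions the 95%% bound is only 1/%.0f"
          % (flights, 1.0 / upper_bound_after_clean_missions(flights)))
```
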

As I said, just say the astronauts have to wear spacesuits the whole time.

Quote

Damage to heat shields that allow sufficient hot gas intrusion during reentry to result in structural failure.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

Quote

Damage to propulsion systems (including thrusters, propellant tanks, valves, feedlines, and control hardware) that could result in any of the following: inability to deorbit, inability to control attitude during reentry, leakage of thruster exhaust into spacecraft structure, leakage of unreacted propellant into structure (including potential for hypergolic propellants to mix in places they really shouldn't), bursting of propellant tanks.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

And if the propulsion system is damaged, the spacecraft is stranded, not LOC. And Dragon can actually survive ballistic entry.

Those other things you mention could happen, but are incredibly unlikely. Propellants don't stick around and mix in vacuum. Notice this has never happened on Station or Mir or Salyut or Skylab.

Quote

Damage to reentry power systems (including batteries, cables, and control equipment) that results in any number of failures, including loss of reentry control and loss of recovery systems.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

And Dragon can survive ballistic entry and has a manual pull-cord for the chutes.

Quote

Damage to spacecraft command and data handling hardware that results in loss of control or loss of recovery systems.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

And Dragon can survive ballistic entry and has a manual pull-cord for the chutes.

Quote

Damage to recovery system hardware that prevents initiation of both primary and backup recovery system deployment.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

Corner case of corner cases.

Quote

Damage to cooling systems that results in coolant being released into crew pressure vessel, creating a toxic atmosphere.

Again, I suggested the crew keeps their spacesuits on the whole time.

Quote

There are no doubt several others I haven't thought of for this post. Not all of these are immediately detectable. Not all of those that are detectable are correctable after the fact.

Basically they all are detectable. They basically are all correctable (via rescue) as long as you haven't done the deorbit burn yet (in which case you have only minutes of vulnerable time), but still have lots of redundancies even then.

Again, this sounds like corner-cases of corner-cases.

I sincerely, SINCERELY doubt it'll be MMOD that causes the next space disaster.

EDIT: You repeated a lot of the same risks in order to make it sound like a long list. That's why I repeated my responses.


Doesn't NASA set the standards for what goes into deriving the LOC number?

The situations that need to be considered when determining what contributes to LOC depend heavily on the detailed design of the vehicle. It's a discussion between NASA and the contractor and would absolutely contain substantial chunks of proprietary information. NASA handles and respects proprietary information all the time. Because commercial crew and cargo operate under a wholly different structure, we all are going to have to get used to the idea that a lot of the stuff that NASA used to make public during the shuttle days will be held proprietary under these contracts. It's part of the price you pay for commercial space.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

The backshell however is not protected by the trunk/service module and is exposed in a high threat region for long periods of time before reentry, and inspection might not catch the damage.

Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.

The backshell however is not protected by the trunk/service module and is exposed in a high threat region for long periods of time before reentry, and inspection might not catch the damage.

Backshell doesn't get that hot. It'd take a large impact (easily detected) to damage it enough.


--snip--

Basically they all are detectable. They basically are all correctable (via rescue) as long as you haven't done the deorbit burn yet (in which case you have only minutes of vulnerable time), but still have lots of redundancies even then.

Again, this sounds like corner-cases of corner-cases.

I sincerely, SINCERELY doubt it'll be MMOD that causes the next space disaster.

EDIT: You repeated a lot of the same risks in order to make it sound like a long list. That's why I repeated my responses.

A few points:

The base heat shield is not the only heat shield. The backshell heat shield has no protection. Zero. None. Sufficient penetration of the backshell heat shield is absolutely a LOC event. That this is easily detected is only your assertion and is not necessarily borne out by facts. It depends greatly on what structure and infrastructure exists behind the strike.

Not all failures are immediately detectable. This is undisputable fact, despite your assertions to the contrary.

Nobody is saying that MMOD is the cause of the next space disaster; that is a strawman argument.

Your impression that I simply repeated redundant items belies your failure to understand what I wrote and nothing more. The only thing that I repeated was that there was a strike. Where the strike is, how big it is, and what it hits changes the game completely.

The analyses cover as many corner cases as they can, including the likelihood of loss of redundant systems.

--snip-- Basically they all are detectable. They basically are all correctable (via rescue) as long as you haven't done the deorbit burn yet (in which case you have only minutes of vulnerable time), but still have lots of redundancies even then.

Again, this sounds like corner-cases of corner-cases.

I sincerely, SINCERELY doubt it'll be MMOD that causes the next space disaster.

EDIT: You repeated a lot of the same risks in order to make it sound like a long list. That's why I repeated my responses.

A few points:

The base heat shield is not the only heat shield. The backshell heat shield has no protection. Zero. None.

Sure it does. There's a bunch of spam on it.

Quote

Sufficient penetration of the backshell heat shield is absolutely a LOC event.

"Sufficient" meaning a very big hole. Remember, the backshell does not get very hot. And even if it was "penetrated," that's not sufficient to say it'd cause a big problem. What heat is brought in is dissipated by the aluminum structure. Even if you had an actual small burn-through of the aluminum (exceedingly unlikely, even with damage of the backshell enough to be visible), the backshell has such low temperatures (compared to the front) that it's not even necessarily a LOC event because the crew would be wearing pressure suits and there are no wings to fall off.

Quote

That this is easily detected is only your assertion and is not necessarily borne out by facts.

Yeah, it is. Dragon is white and has much smaller area than Shuttle did. And the portion in question is actually facing Station already and much of it can be seen clearly out the window even while docked.

Quote

It depends greatly on what structure and infrastructure exists behind the strike.

The whole surface is painted white. High resolution pictures are already taken of Dragon on departure. Regardless of what's "behind" the strike, a strike large enough to cause the sort of damage you're talking about is most likely to be quite visible.

Quote

Not all failures are immediately detectable. This is undisputable fact, despite your assertions to the contrary.

What assertions? I never said all failures. I said: strikes big enough to do the sort of damage you're talking about are going to leave a mark. MMOD leaves visible craters when it impacts.

Quote

Nobody is saying that MMOD is the cause of the next space disaster; that is a strawman argument.

Did I say that? I wasn't just saying it wouldn't be the cause, I am saying that the probability that it's the cause (and let me clarify here: on a reentry capsule such as Dragon... ISS is a much bigger target) is actually low, thus not only do I not think it's the likely cause, but I'd take a significant handicap on those odds. And the thread title says "NASA class MMOD as primary threat to commercial crew vehicles." So my argument most certainly is not a strawman.

Quote

Your impression that I simply repeated redundant items belies your failure to understand what I wrote and nothing more. The only thing that I repeated was that there was a strike.

Many of the things you stated overlap.

Quote

The analyses cover as many corner cases as they can, including the likelihood of loss of redundant systems.

Sure, but we're talking about significant probabilities that can add up to MMOD being the "primary threat." I find that unlikely.

Primary threat, as long as you take the countermeasures I mentioned, is probably something not fully considered. And I stand by that.


Imagery is not infallible. Impacts that appear small on the entry face can create large amounts of damage farther in -- that cannot be discovered on orbit as they would require disassembly of the hardware. White hardware actually makes identification of strikes in imagery more difficult as it creates difficulties in controlling the image exposure; against the dark background of space, white surfaces tend to get blown out to the point that impact features are difficult to distinguish from other artifacts -- the ISS radiators have the same problem. This is, of course, assuming that the images are of sufficient resolution and perfectly in focus -- not always a valid assumption.

If you read the ASAP report that drove this article, the total mention of MMOD amounts to less than a paragraph. This thread is getting wrapped around the axle on assumptions and incomplete/outdated information. That something is the "primary" threat does not mean the threat is "large." It just means that other identified and controlled threats are "smaller".

This is just another example of NASA's long history of failing to adequately weight the "unknown unknowns" when doing risk assessment. The risk of some other failure mode being far more likely than expected in new vehicles dwarfs the risk of MMOD. For NASA to claim otherwise just makes them look foolish.

The risk of "unknown unknowns" is very hard to quantify. That means when you pay people to spend a lot of time to calculate risks, they focus on the risks that they can quantify and tend to neglect the hard-to-quantify risks, unless they're really smart or trained in such pitfalls. Even then, who wants to say to their boss the answer is "I don't know" when they're being paid to give specific numbers?

If you read the ASAP report that drove this article, the total mention of MMOD amounts to less than a paragraph. This thread is getting wrapped around the axle on assumptions and incomplete/outdated information. That something is the "primary" threat does not mean the threat is "large." It just means that other identified and controlled threats are "smaller".


This is just another example of NASA's long history of failing to adequately weight the "unknown unknowns" when doing risk assessment. The risk of some other failure mode being far more likely than expected in new vehicles dwarfs the risk of MMOD. For NASA to claim otherwise just makes them look foolish.

Emphasis mine.

Minor nit: NASA did not claim this. ASAP did. And although technically ASAP is administered by NASA, ASAP was established by US Congress, and reports to both US Congress and the NASA administrator. ASAP serves as an independent committee reporting on aerospace safety matters at NASA. It was formed after the not-so-independent NASA-led investigation into the Apollo 1 fire.

If damage detection doesn't work one could enclose the vehicles in some shielding after docking.

At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.

Mr. Justin Kerr provided a briefing on MMOD and reviewed the current situation. The Agency has a requirement to achieve a Loss of Crew (LOC) risk of no worse than 1 in 270 (1:270) for MMOD. To encourage risk mitigation, the Program has been looking at different ways to approach that. MMOD is the number one contributor to LOC risk and the primary means by which to close the gap between where the Program is and where it wants to be. The strategy that is being taken is to back off to 1:200 for the spacecraft themselves, but to require that the design and vehicle capability be the sole means to achieve that level. Any potential inspections or operational workarounds will be put aside and left for later consideration. That strategy appears to be working well. Both companies are now looking at potential changes to their vehicles to address the MMOD risks.

and

Quote

Regarding the MMOD issue, a decision was made to reallocate the protection for MMOD, which required the providers to focus on the vehicle. Currently, this means that operational procedures must make up the difference. The good news is that the Program has identified operational changes that can do that, but those changes are not “free.” NASA has estimated that those changes will cost the equivalent of $10 million per year until the end of ISS. That begs the question: Can we use other techniques to incentivize the contractors to go beyond the 1:200 requirement? The Program is hoping that the contractors would do that. Mr. Frost opined that he would look very carefully at trying to buy some more protection from the equipment.

At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.

No spacecraft to date uses this. So you spend 500 lbs in wiring, sensors, and avionics to instrument the hell out of a spacecraft to detect strikes. What do you then do with that information? If you haven't already designed the spacecraft to survive the most likely strikes, what good did it do you?

The most important MMOD work happens during the design stage, not the operational stage. You go in with the knowledge that you will sustain a certain number of strikes per unit of time, with a particular distribution of size, velocity, and directionality. You then design the vehicle to withstand as many of these as you can to meet some one-in-whatever probability of mission success. If you're going to use up the mass budget, you use it proactively on shielding and survivability, not reactively on detection.

Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.


At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.

No spacecraft to date uses this.

And we all know that SpaceX never deviates from what all others have done before them, right?

Edit: sorry but I really, really dislike the argument it has never been done.

Remember that it was said an inspection of the spacecraft for departure would reach the value of 1/270. It would mean they don't depart with that vehicle but wait for a replacement. In the unlikely event of a Space Station evacuation they could very likely still use that vehicle, just with reduced safety and redundancy.

A few sensors could reduce that inspection to cases where the spacecraft has actually been hit, not just as a mandatory precaution. The inspection could be performed to find out potential damage at the time of the incident. No need to wait for the planned departure time. So a replacement vehicle could be sent early.

And we all know that SpaceX never deviates from what all others have done before them, right?

Edit: sorry but I really, really dislike the argument it has never been done.

The fact that it has never been done is important here. The technology to detect and pinpoint these events, which are blindingly fast and impart little momentum transfer to fully penetrated hardware, is not at the level where it could be applied to complex structure and give meaningful data. Commercial crew is not the place for technology development. NASA wants high TRL solutions, not science experiments.

Quote

Remember that it was said an inspection of the spacecraft for departure would reach the value of 1/270. It would mean they don't depart with that vehicle but wait for a replacement. In the unlikely event of a Space Station evacuation they could very likely still use that vehicle, just with reduced safety and redundancy.

A few sensors could reduce that inspection to cases where the spacecraft has actually been hit, not just as a mandatory precaution. The inspection could be performed to find out potential damage at the time of the incident. No need to wait for the planned departure time. So a replacement vehicle could be sent early.

Did you read the minutes? NASA wants the requirement to be met without requiring inspection.

At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.

Are you aware that you are talking about the people who actually wrote the book on handling risk in scenarios of uncertainty?

Have you forgotten the Shuttle failure predictions from NASA?

Yeah... They may have written the book on it, but they've also had to rewrite the book so many times due to getting it *wrong*. NASA has a long history of putting thumbs on scales and willful ignorance when it comes to risk handling.

At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.

That was used for ascent purposes and was designed to detect strikes of much higher mass and lower velocity and for a much shorter period of time than is being discussed here. To the extent that it was used on orbit, it was notorious for giving false positives.

That was also 66 accelerometers and their associated wiring and data handling hardware for just one small part of the outer mold line of the vehicle. It does not scale nicely. You would need hundreds of sensors, wiring to read data from them, hardware to make sense of that data, and power to make it all work. When the point of the requirement is to make the vehicle safer, your mass budget is much better spent making the vehicle itself less vulnerable to damage than it is trying to pinpoint where it did get hit. These are crew transportation vehicles, not research projects.

Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.

Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....

If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot by a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.


Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.

Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....

If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot by a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.

If a huge MMOD (hint: what does the first M stand for?) hit anything attached to station, we would have dozens of ways of knowing it immediately. Strain gauges offer nothing of value here.

I suspect that spacecraft will be shielded against strikes up to a certain size and made to detect larger strikes. There is likely to be an overlap between the shield and detection sizes. It may also be particle momentum rather than size that is detected. Weak points such as windows may need additional detectors.

Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.

Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....

If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot by a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.

If a huge MMOD (hint: what does the first M stand for?)

huge being relative, of course. It'd have to be huge to make any fatal damage.


That's a lot of words rather than just admitting you're wrong. That doesn't mean it was perfect or even worthwhile, but a spacecraft has indeed used such a system.

It's not the same system. It wasn't designed to be used to detect MMOD strikes, and -- surprise -- it didn't do a good job of doing so. No human spacecraft has flown with an MMOD strike detection system.

Did you read the minutes? NASA wants the requirement to be met without requiring inspection.

I got that. Are you saying, NASA won't agree to inspections when they know, there is something wrong? Just insisting it is the sole problem of the contractor? Seriously?

I'm almost positive that they'll do inspections anyway. The inspections, however, can't be part of the path to meeting requirements. The vehicles have to do that by themselves.

So in other words, compound conservatism. Sounds like a good recipe to increase overall costs.

If you already have the assets and the capability to do a photographic inspection on orbit prior to or just after departure, why wouldn't you? They did it for Shuttle, they did it for Soyuz. All things told, the cost of doing the imagery vs not doing the imagery is minor. What NASA is saying is "no, you can't skimp on shields by saying 'oh, they'll just catch it with imagery once we're up there.' Your spacecraft has to be safe even without imagery."

Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.

Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....

If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot by a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.

ISTR astronauts saying they could hear MMOD strikes on the ISS. That suggests non-fatal hits can be picked up by microphones. Spread a few along the main structures and triangulate to find the source, that should take far less than 500 lbs.

Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.

Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....

If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot by a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.

ISTR astronauts saying they could hear MMOD strikes on the ISS. That suggests non-fatal hits can be picked up by microphones. Spread a few along the main structures and triangulate to find the source, that should take far less than 500 lbs.

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

So in other words, compound conservatism. Sounds like a good recipe to increase overall costs.

NASA learned the hard way that just because a backup is in place, you cannot get away with a deficiency in a primary system.

In this case, the primary system is the vehicle's resilience to MMOD. The backup is inspections and operational precautions. Now I think it's perfectly reasonable to ask that the threat model not be over exaggerated and be backed up by solid data, but asking that the spacecraft handle the lion's share of the risk on their own is not unreasonable at all.

It's not the same system. It wasn't designed to be used to detect MMOD strikes, and -- surprise -- it didn't do a good job of doing so. No human spacecraft has flown with an MMOD strike detection system.

It had accelerometers to sense impacts and it was capable of detecting MMOD strikes. I didn't say it was good. But it flew, and it existed.

Not sure what angle you're pushing from here, but I'm content to drop it at that.

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

If pierced into the main room, duct tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.

Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

If pierced into the main room, duct tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.

Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.

More likely IMO send a replacement vehicle up and use the damaged one only in the very unlikely case of an ISS evacuation. BTW if the pressure hull is compromised it is not only quite easy to fix but will inevitably be detected.

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

If pierced into the main room, duct tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.

Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

If pierced into the main room, duct tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.

Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.

More likely IMO send a replacement vehicle up and use the damaged one only in the very unlikely case of an ISS evacuation. BTW if the pressure hull is compromised it is not only quite easy to fix but will inevitably be detected.

Nothing is "quite easy to fix" in space.

If the pressure shell is compromised that means there exists a hole in the back shell that would also need to be fixed. And these fixes would have to withstand reentry.

If the pressure shell is compromised that means there exists a hole in the back shell that would also need to be fixed. And these fixes would have to withstand reentry.

How do you get this idea? The backshell is very well protected by the trunk and protective coating. Anything penetrating the pressure hull will come from the side. A patch is easily applied from the inside.

If the pressure shell is compromised that means there exists a hole in the back shell that would also need to be fixed. And these fixes would have to withstand reentry.

How do you get this idea? The backshell is very well protected by the trunk and protective coating. Anything penetrating the pressure hull will come from the side. A patch is easily applied from the inside.

The back shell is the side. You're thinking of the heat shield, which is mostly protected by the service module. The back shell also protects the vehicle from reentry gasses/temperatures.

A couple of thoughts:

-Using accelerometers to detect impacts might work above some threshold. But how to remove the non-impact twitches? (E.g., coolant flowing, astronauts shifting in seats, etc.). You can't have the master alarm going off every 10 seconds.

-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.

-There was a good point made above, that just because the analysis says MMOD is the risk driving the LOCV stats doesn't mean it's that much worse than any number of others. If MMOD is 1/1500, say, there may be a whole bunch at 1/1510. We will almost surely not be told the detailed numbers for proprietary reasons. I doubt Contractor A wants Contractor B to know their numbers and be able to snipe at them in reports and future proposals.

-The two losses with which I'm most familiar, the shuttles, were from what I think of as known-knowns that turned out to be what I might describe as unknown-knowns (to coin a Rumsfeldian variant). That is, both failure modes were recognized, but inaccurately characterized to the extent that they were judged as low risks, even though that did not turn out to be the case. It seems to me that mischaracterized risk is different than a known-unknown. Does that make sense?

If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?

If pierced into the main room, duct tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.

Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.

A couple of thoughts:

-Using accelerometers to detect impacts might work above some threshold. But how to remove the non-impact twitches? (E.g., coolant flowing, astronauts shifting in seats, etc.). You can't have the master alarm going off every 10 seconds.

-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.

-There was a good point made above, that just because the analysis says MMOD is the risk driving the LOCV stats doesn't mean it's that much worse than any number of others. If MMOD is 1/1500, say, there may be a whole bunch at 1/1510. We will almost surely not be told the detailed numbers for proprietary reasons. I doubt Contractor A wants Contractor B to know their numbers and be able to snipe at them in reports and future proposals.

-The two losses with which I'm most familiar, the shuttles, were from what I think of as known-knowns that turned out to be what I might describe as unknown-knowns (to coin a Rumsfeldian variant). That is, both failure modes were recognized, but inaccurately characterized to the extent that they were judged as low risks, even though that did not turn out to be the case. It seems to me that mischaracterized risk is different than a known-unknown. Does that make sense?

Triangulation.

The speed of sound in aluminium is 6320 m/s.

Triangulation can work by differences in volume and the delay between sensors hearing the bang. To detect down to 1 cm (0.01 m, 0.39 inches) the surface would have to be sampled 2*6320/0.01 = 1,264,000 times a second.

There are many off-the-shelf analog-to-digital chips that will sample 8 bits a million times a second; for instance the Texas Instruments ADS7040, temperature range –40°C to 125°C, which costs less than a dollar.

To detect MMOD an accuracy of 5 cm may be sufficient. Aluminium is also a (near) worst case problem since it is a very good conductor of sound. At about 355 m/s air is an order of magnitude slower.

A practical system would have to handle several different types of material and filter out false alarms such as astronauts bouncing off the walls. I suspect that liquids going through pipes sounds different from the bang of something hitting the outside of a capsule.
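The sampling-rate arithmetic in the post above, worked through as an added example (not part of the original post or of any flight system): it quantises arrival times at four sensors to whole ADC samples and recovers the impact point from the time differences. The flat 1 m panel, corner sensor positions, single wave speed, impact point and the 20 kHz comparison rate are all assumptions made for illustration.

```python
import math

SPEED_AL = 6320.0   # m/s, speed of sound in aluminium as quoted in the post
PANEL_M = 1.0       # assumption: flat 1 m x 1 m panel, not a real vehicle geometry
# Assumption: one sensor in each corner of the panel.
SENSORS = [(0.0, 0.0), (PANEL_M, 0.0), (0.0, PANEL_M), (PANEL_M, PANEL_M)]


def required_sample_rate(resolution_m, speed=SPEED_AL):
    """The post's rule of thumb: sample at 2 * c / resolution."""
    return 2.0 * speed / resolution_m


def arrival_samples(source, sensors, rate_hz, speed=SPEED_AL):
    """Wavefront arrival time at each sensor, rounded to whole ADC samples."""
    sx, sy = source
    return [round(math.hypot(sx - x, sy - y) / speed * rate_hz)
            for x, y in sensors]


def locate(samples, sensors, rate_hz, step_m=0.005, speed=SPEED_AL):
    """Time-difference-of-arrival fix by exhaustive grid search.

    Only differences relative to sensor 0 are used, because the absolute
    time of the impact is unknown to the receiver.
    """
    ref = samples[0]
    measured = [(n - ref) / rate_hz for n in samples[1:]]
    steps = int(round(PANEL_M / step_m))
    best, best_cost = None, math.inf
    for i in range(steps + 1):
        x = i * step_m
        for j in range(steps + 1):
            y = j * step_m
            d0 = math.hypot(x - sensors[0][0], y - sensors[0][1])
            cost = 0.0
            for (px, py), m in zip(sensors[1:], measured):
                predicted = (math.hypot(x - px, y - py) - d0) / speed
                cost += (predicted - m) ** 2
            if cost < best_cost:
                best, best_cost = (x, y), cost
    return best


def localisation_error(source, rate_hz):
    """Distance in metres between the true impact and the TDOA estimate."""
    est = locate(arrival_samples(source, SENSORS, rate_hz), SENSORS, rate_hz)
    return math.hypot(est[0] - source[0], est[1] - source[1])


if __name__ == "__main__":
    impact = (0.30, 0.60)  # constructed impact point, metres from one corner
    rates = [
        ("post's 1 cm rule", required_sample_rate(0.01)),
        ("1 MHz ADC from the post", 1_000_000.0),
        ("20 kHz (constructed comparison)", 20_000.0),
    ]
    for label, rate in rates:
        mm_per_sample = SPEED_AL / rate * 1000.0
        err_mm = localisation_error(impact, rate) * 1000.0
        print(f"{label:32s} {rate:>12,.0f} Hz  "
              f"{mm_per_sample:7.1f} mm/sample  error {err_mm:6.1f} mm")
```

At the post's 1.264 MHz rate the constructed impact is recovered to within one 5 mm grid step, while at 20 kHz each sample spans about 0.32 m of travel and the estimate lands roughly 10 cm away, outside the 5 cm accuracy the post suggests may be sufficient.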

Distinguishing a MMOD from normal station sounds is the easiest thing ever. It will have a very short sharp attack to identify. A very simple filter will do that. Even a hammer blow will be much slower.

They have devised materials to repair the Shuttle heat shield to some extent. Finding materials to mend a small hull breach will be many orders of magnitude easier. We are not talking about large ones as they will be exceedingly rare.

Others have already commented on triangulation. That may be somewhat tricky but once an impact is identified as MMOD it is worth the effort.

-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.

I understand triangulation. But you'd probably end up with diffraction effects, reflections, etc., and the speed of sound depends on the tension in the metal, and... And you need a system that can handle that in near-real-time. Hence the spirit of my comment.

No, you really don't need that though it would be good to have. You need a system that can distinguish between MMOD hits and other noises near real time. If you have a hit there is ample time to analyze. The vast majority of its time in space the spacecraft will be docked to the station. So that's the time that adds most of the risk.

I understand triangulation. But you'd probably end up with diffraction effects, reflections, etc., and the speed of sound depends on the tension in the metal, and... And you need a system that can handle that in near-real-time. Hence the spirit of my comment.

What he said. Every structural connection, every interface, every free surface, and every rivet, bolt, and screw will reflect transmitted waves, absolutely confounding attempts to triangulate event locations. Ever wonder why GPS acts weird when you're around a lot of tall buildings? Same problem -- you have no way of knowing if the signal you received is from a straight line-of-sight or from a reflection. Triangulation is only simple for simple hardware. For real hardware that people actually use, it's not even close to being a simple problem.

The only way to get useful data with any reasonable time frame would be to have hundreds of sensors, which requires hundreds of wires, all of which weigh something. You also need the computing infrastructure to make sense of that data and the power to run it all. Automated debris strike detection and location is a very low TRL research project at this point and has no business being relied upon in a production spacecraft.

The pressure shell itself is almost never directly accessible by the crew. There is all manner of interior outfitting in the way. Wire harnesses, fluid lines, ducts, avionics, stowage, bump shields, other hardware, etc.

Major damage is rare. You don't even have to mend them. Just keep the door closed and take a different vehicle down. The issue you're trying to address here is otherwise-undetected significant damage leading to loss-of-crew.

We're worried about LOC. LOM is more acceptable (provided it's still rare).

Keeping the door (hatch) closed is a mitigation for PNP (where damage to the visiting vehicle creates a hazard to ISS), not LOC/LOM. In any case, the need for immediate safe harbor for crew members in the event of conjunctions, leaks, and toxic atmosphere events makes that mitigation step absolutely unacceptable for anything but contingency operations, meaning it can't be considered a hazard control on which to base the risk numbers.

A good rule of thumb when it comes to MMOD analysis and mitigation design: if it's simple and intuitive without heavy background experience, it is most likely wrong. There are a number of people in this thread who have direct experience with this. Listen to what they are saying.

Not to beat this thing to death, but triangulation wouldn't be as bad as you might think. You mostly just need to use the first indication from each sensor and ignore all the rest to eliminate reflections, long path and second time around signals and any other source that's not the most direct route through the metal. It shouldn't be too hard to filter out sensors that are inconsistent with most of the rest. Good GPS receivers can do the same thing to overcome multipath in addition to ignoring signals that don't match up with the rest. Coming up with an arthroscopic type probe and repair tool for the hard to reach spots would be an interesting project.
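The first-arrival approach described in the post above, combined with the sampling figures from the earlier "Triangulation" post, can be tried out numerically. This is an added example, not code from any poster or project: it assumes a flat, uniform 2 m x 1 m aluminium plate with one wave speed and six constructed sensor positions, which is exactly the idealisation other posters in the thread argue real structures do not satisfy.

```python
import math

C = 6320.0      # m/s, speed of sound in aluminium as quoted in the thread
FS = 1_000_000  # samples/s, the 1 MS/s ADC class mentioned in the thread
W, H = 2.0, 1.0 # constructed test article: a flat 2 m x 1 m plate
SENSORS = [(0, 0), (W, 0), (W, H), (0, H), (W / 2, 0), (W / 2, H)]  # constructed

def first_arrivals(hit, late=None):
    """Sample index at which each sensor first triggers on the bang.
    `late` maps sensor index -> extra path (m) for a sensor that missed the
    direct wave and triggered on a reflection instead."""
    late = late or {}
    return [round((math.dist(hit, s) + late.get(i, 0.0)) / C * FS)
            for i, s in enumerate(SENSORS)]

def residuals(p, ticks, use):
    """Mismatch (m) between predicted and measured path for each sensor in `use`."""
    d = [math.dist(p, SENSORS[i]) - ticks[i] * C / FS for i in use]
    mean = sum(d) / len(d)  # subtracting the mean removes the unknown impact time
    return [v - mean for v in d]

def locate(ticks, use, step=0.01):
    """Grid search over the plate; returns (best point, RMS misfit in metres)."""
    best_cost, best_p = float("inf"), None
    for ix in range(round(W / step) + 1):
        for iy in range(round(H / step) + 1):
            p = (ix * step, iy * step)
            cost = sum(r * r for r in residuals(p, ticks, use))
            if cost < best_cost:
                best_cost, best_p = cost, p
    return best_p, math.sqrt(best_cost / len(use))

def locate_robust(ticks, tol=0.02):
    """Locate with all sensors; if the fit is worse than `tol` metres RMS,
    drop the one sensor whose removal gives the most consistent fit."""
    everyone = list(range(len(ticks)))
    p, rms = locate(ticks, everyone)
    if rms <= tol:
        return p, None
    trials = [(locate(ticks, [j for j in everyone if j != i]), i) for i in everyone]
    (p, rms), dropped = min(trials, key=lambda t: t[0][1])
    return p, dropped

if __name__ == "__main__":
    hit = (1.37, 0.42)  # constructed impact point
    print(locate_robust(first_arrivals(hit)))
    print(locate_robust(first_arrivals(hit, late={4: 0.30})))
```

At 1 MS/s one sample corresponds to 6.32 mm of path in aluminium, so timing quantisation alone stays inside the 5 cm target mentioned in the thread; the second call shows a single sensor that triggered 30 cm "late" being identified and excluded.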

It is probably too late for the CCDev craft but NASA is planning space stations, Moon & Mars habitats, landers, manned rovers and long range transfer vehicles containing both habitats and large propellant tanks. These are at early stages of development.

NASA could commission tasks to devise lightweight monitoring equipment and triangulation techniques suitable for complex shapes such as spacecraft. The sensors could be further apart in some sections.